Go Back   vb.org Archive > vBulletin 3 Discussion > vB3 General Discussions
Reload this Page Globalize(array);
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools Display Modes
  #1  
Old 05-29-2005, 12:22 PM
Cloudrunner's Avatar
Cloudrunner Cloudrunner is offline
 
Join Date: May 2003
Location: Butte, MT
Posts: 635
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Globalize(array);
Okay folks, I've been looking through the online documentations for VB3 and what not now that I have my life back and I have come to realize that I don't know how that function works....

I understand it's used to clean out any magic-quotes that are in the $_GET, $_POST, or $_REQUEST globals, but say I've a large array of $keys => $values, do I HAVE to put each individual $key in the globalize() function, or can I just use a foreach ($_POST AS $key => $value) loop and have it globalize the entire contents in one shot? (We're talking about a 50+ $key => $value array).
Reply With Quote
  #2  
Old 05-29-2005, 12:45 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Globalize CAN sanitize some values, but the main purpose is to make $_POST etc. vars available as normal variables.

You can not do any sanitisation on an array. You will have to treat each value as untrusted when processing.
Reply With Quote
  #3  
Old 05-29-2005, 12:51 PM
Cloudrunner's Avatar
Cloudrunner Cloudrunner is offline
 
Join Date: May 2003
Location: Butte, MT
Posts: 635
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by MarcoH64
Globalize CAN sanitize some values, but the main purpose is to make $_POST etc. vars available as normal variables.

You can not do any sanitisation on an array. You will have to treat each value as untrusted when processing.
So I'm basically stuck adding 50+ lines to the globalize array then?
PHP Code:
globalize($_POST, array(
    'userid' => INT,
    'username' => STR_NOHTML,
    'etc' => STR,
    'etc' => STR
)); 
That's gonna be a HUGE amount of lines for what I'm trying to do, and I'm not really comfortable having that much space taken up if I don't need to.

Is it absolutely required on a page, or does the define('NO_REGISTER_GLOBALS', 1); cover me on this?
Reply With Quote
  #4  
Old 05-29-2005, 01:11 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
No, you just globalize the array, then you make sure that you protect your sql-statements against injections when one of the array elements is used.
Reply With Quote
  #5  
Old 05-29-2005, 01:18 PM
Cloudrunner's Avatar
Cloudrunner Cloudrunner is offline
 
Join Date: May 2003
Location: Butte, MT
Posts: 635
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by MarcoH64
No, you just globalize the array, then you make sure that you protect your sql-statements against injections when one of the array elements is used.
[high] * Cloudrunner head starts to hurt...
[/high]

got the globalize, that's cool, but You've confused me with the injections. How does one protect from injections? Sorry to sound newbish, but the sql-injection protection thing is new to me....

are you talking about having a different site, page whatever throw the variables into the script so that the SQL uses those variables instead of the ones it's truly looking for?
Reply With Quote
  #6  
Old 05-29-2005, 01:38 PM
Marco van Herwaarden Marco van Herwaarden is offline
 
Join Date: Jul 2004
Posts: 25,415
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
You should protect all external variables used in sql-statements (and some other places) against possible injection of mallicious code. You can do this by forcing numbers to integer (ie. intval($mynumber)) or addslashes (ie. addslashes($myalphabetic)).
Reply With Quote
  #7  
Old 05-29-2005, 01:48 PM
Cloudrunner's Avatar
Cloudrunner Cloudrunner is offline
 
Join Date: May 2003
Location: Butte, MT
Posts: 635
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default
Quote:
Originally Posted by MarcoH64
You should protect all external variables used in sql-statements (and some other places) against possible injection of mallicious code. You can do this by forcing numbers to integer (ie. intval($mynumber)) or addslashes (ie. addslashes($myalphabetic)).
ah, okay, I do that already!

Thank you for the help!!!
Reply With Quote
Reply

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 04:53 PM.

Contact Us - Archive - Top

Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03867 seconds
  • Memory Usage 2,220KB
  • Queries Executed 13 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)ad_showthread_firstpost
  • (1)ad_showthread_firstpost_sig
  • (1)ad_showthread_firstpost_start
  • (1)bbcode_php
  • (3)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)navbar
  • (3)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (7)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 
Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete